25 May
Last Updated: May 28th, 2013

Syrian Electronic Army, a hacking group responsible for several visible attacks in the last few weeks, has evidently taken control of BSkyB's Sky apps in the Play Store, replacing the promo headers with SEA's logo, and the app descriptions with "Syrian Electronic Army Was Here."


In a tweet earlier, BSkyB's Twitter account (which we now know was also compromised) warned its users to uninstall all Sky apps, as they "were hacked and replaced." Indeed, BSkyB's apk files were replaced by the hacking group.

Syrian Electronic Army, the group behind the infiltration, is also responsible for attacks on the Washington Post, Al Jazeera, Human Rights Watch, Financial Times, the Onion and many others (including Twitter accounts belonging to ITV and BBC Weather), and are "enemies of Anonymous," according to an interview reported on Vice. Earlier today, it was reported that the group attempted an attack on the water system in Haifa, a city in northwestern Israel.

So, how did the attack happen? The most likely answer is that the SEA somehow stole BSkyB's signing keys and the developer account password. If the signing keys were not compromised, the Play Store would not allow the apps to update. Depending on how this attack was executed, the implications could be quite considerable.

Any resolution would likely involve stopping use of the account, pulling the apps from the store entirely, and potentially force uninstalling them from users' devices.

Update #1 (5-26 at 12:30am Pacific): At the time of this update, all affected Sky apps have been removed from the Play Store.

Update #2 (5-26 at 11:00am Pacific): CNET reports (through contact with a Sky spokesperson) that BSkyB's Twitter feed was also compromised, and that the warning mentioned above did not come from BSkyB itself. The broadcaster assures readers "we will provide a further update when we have more information."

Now that we know BSkyB's Twitter account was also hacked, it is possible (if not likely) that the .apk files in the Play Store were not actually replaced after the developer account was compromised. After all, changing the app description and promo images would be much easier than obtaining the signing keys for the apps, and the only real evidence available that the .apks were altered came in the form of a tweet that we now know was fake.

Strangely, the tweets are still up at the time of writing, indicating that perhaps BSkyB doesn't have access to the account. If in fact the SEA's attack began with a service like – for example – BSkyB's email, compromising its Twitter account would be a snap.

Any definitive information on just how the attack was carried out (or when it will be resolved) remains to be seen, but we'll keep you updated.
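The question Update #2 leaves open, whether the .apk files themselves changed and under which key, can be settled by comparing a suspect APK with an archived known-good copy. The following is an added example, not part of the original article: it assumes the line format printed by `apksigner verify --print-certs` from the Android SDK build-tools, and the function names and sample digests are constructed for illustration.

```python
import hashlib
import re
import shutil
import subprocess

# Assumed line format of `apksigner verify --print-certs` (Android SDK build-tools).
DIGEST_RE = re.compile(
    r"^Signer\b.*certificate SHA-256 digest:\s*([0-9a-fA-F]{64})\s*$", re.M)


def signer_digests(print_certs_output):
    """Set of signer-certificate SHA-256 digests found in apksigner output."""
    return frozenset(d.lower() for d in DIGEST_RE.findall(print_certs_output))


def file_sha256(path):
    """SHA-256 of the APK file itself, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inspect_apk(path):
    """Return (file hash, signer digests) for an APK on disk."""
    tool = shutil.which("apksigner")
    if tool is None:
        raise RuntimeError("apksigner not found on PATH")
    out = subprocess.run([tool, "verify", "--print-certs", path],
                         check=True, capture_output=True, text=True).stdout
    return file_sha256(path), signer_digests(out)


def triage(known_good, suspect):
    """Compare two (file_sha256, signer_digests) pairs and name the outcome."""
    good_hash, good_signers = known_good
    sus_hash, sus_signers = suspect
    if not good_signers or not sus_signers:
        return "unverifiable"          # unsigned, or output not understood
    if sus_signers != good_signers:
        # Android rejects this as an update (no v3 key rotation assumed).
        return "different-signer"
    if sus_hash == good_hash:
        return "unchanged"             # only store listing metadata can differ
    # Same key, different bytes: a genuine release, or the key is in other hands.
    return "new-build-same-key"


# --- Constructed sample data (not real digests or real apksigner captures) ---
PUBLISHER_CERT = "ab" * 32
OTHER_CERT = "cd" * 32


def sample_output(cert_digest):
    return ("Signer #1 certificate DN: CN=Example Publisher\n"
            f"Signer #1 certificate SHA-256 digest: {cert_digest}\n"
            "Signer #1 certificate SHA-1 digest: " + "11" * 20 + "\n")


def demo():
    archived = ("aa" * 32, signer_digests(sample_output(PUBLISHER_CERT)))
    cases = {
        "listing defaced, APK untouched": archived,
        "APK re-signed with another key":
            ("bb" * 32, signer_digests(sample_output(OTHER_CERT))),
        "APK rebuilt with publisher key":
            ("cc" * 32, signer_digests(sample_output(PUBLISHER_CERT))),
    }
    return {name: triage(archived, apk) for name, apk in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

With real files, pass the results of `inspect_apk()` for the archived and the suspect APK to `triage()`. A `new-build-same-key` verdict for a build the publisher did not ship is the case that indicates a compromised signing key.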

Update #3 (5-28 at 9:29pm Pacific): BSkyB has apparently regained control of its Twitter account, sending out a series of tweets officially acknowledging the attack and updating users on the current situation.

There's still no word on just when BSkyB will be able to re-release their apps, or how current users will be affected, though the company assures readers that previously downloaded apps will continue to work normally.

Thanks, Paul!

Liam Spradlin

  • Saravana Kumar Karthikeyan

    They could have updated the apps with malware ... they just are not smart enough !!

    • http://www.androidpolice.com/ Artem Russakovskii

      They did enough to spread their message and make people notice.

    • Sukh

      If they were able to attack Washington Post, Al Jazeera, Human Rights Watch, and so on... they're smart enough. Their goal was to get the message across, which they did.

      • lewishnl

        I don't agree at all. They don't seem to be very talented, just very good at phishing (which doesn't make them app developers, server hackers, etc.) and this seemingly allowed them access to Sky's signing keys and passwords. The weird and really amazing thing is that this seems to suggest that Sky stored their signing keys and passwords in the same place or that they stored their signing keys in Google developer account (accessible with that password), sounds like a really bad security failing on Sky's behalf here...

        • http://www.androidpolice.com/ David Ruddock

          More likely, whoever develops Sky's apps has a Google account with group access and the credentials were stored in an insecure way (eg, a Dropbox folder that at some point had a URL generated, open directory on a webpage, etc). From there, either the signing key was in that same repository, or a quick Gmail / GDrive search revealed it.

          Apps like this are pretty regularly farmed out to operations in India / Eastern Europe where teams of developers, often working remotely, are responsible for the app's upkeep. Even if the app was originally developed by a more reputable studio, updates and maintenance may get handed off to someone else for the sake of cost. Sky may have an "app guy" that writes the Google Play description back in the UK, but my bet is that the credentials to this dev account have been passed around a lot.

          Tl;dr - don't commit your credentials to record unless you know for a fact they'll be stored securely, a policy almost no one, sadly, actually follows.

  • Mehmet Fatih

    damn Assad!

    • HellG

      People need to help the Syrian freedom fighters. They are losing the battle as Al-Asad got help from Hizballuah!!! Where the FUCK is the UN?!

      • Ali Moughnieh

        Al Qaeda is fighting in syria no freedom fighters. Stop whining UN will not make a move because Israel is not ready for a war with Hizbullah

        • HellG

          Are you delusional?! Al Qaeda and Hizbullah fighting each other?! and for whom a falling regime?!, If you think the rebels in Syria are terrorists then you really need to stop watching Fox News and see the massacres Al-Asad do to these people and that most of these "Terrorists" are normal people that just want to be free...

          • Ali Moughnieh

            I don't watch Fox news, I know people who died there. If you think those who gave the little kid a knife and made him cut a man's head, and that who ripped off a Syrian soldier's heart and put it in his mouth are freedom fighters, then I wonder What Al Qaeda would be.

          • http://www.androidpolice.com/ David Ruddock

            This isn't the sort of place for a political discussion, context of the hacked app aside. Please keep it Android related.

          • HellG

            Sorry David, I got carried away, as I swear to you what is happening to these people is horrible, will get back to talking only about Android now :)

          • Dima Zahraddin

            Haha you think Al Qaeda and Hezbollah are buddies? Hezbollah are shias. Al Qaeda despise shias, they consider them to be infidels and have vowed to kill all the shias in Syria. Assad is alawite (in short, a type of shia). Hezbollah is not only fighting Al Qaeda in Syria but also in Lebanon. Open war between Hezbollah + other shias and the wahhabis in the north of Lebanon.

            The so called rebels in Syria are sectarian filth who wants to cleanse Syria of christians, druze, shias and alawites. They've pledged allegiance to al Qaida.

            https://www.youtube.com/watch?v=IosQRnPtbk0
            https://www.youtube.com/watch?v=B2rx8fjeCCw
            https://www.youtube.com/watch?v=-AKVBHEFyC0

            If you are american, these fucks get a cut from your taxes.

            Oh and also they're cannibals.
            https://www.youtube.com/watch?v=m42vf5-WR1Y

        • Observer

          Freedom fighters, my balls. They're a bunch of F'in terrorists. Freedom fighters dont bomb civilians or use chem weapons. Dictators are no good but terrorists are no better.

          • http://www.androidpolice.com/ David Ruddock

            This discussion is not going any further, any more comments on the issue are going to get flagged. This isn't Android related, and it's getting out of hand.

  • Saravana Kumar Karthikeyan

    One reason why everyone should be using two step authentication /..

    • Techpm

      2-factor authentication doesn't work for teams where more than one person needs to authenticate, at least not the one Google is using.

      • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

        How so? They can either have a device (or set of devices) in the office with the authenticator app set up with the code, or let every authorized developer add the code to their own devices. I have multiple accounts with 2-factor authentication turned on without any problem.

        • Techpm

          We're talking specifically about app development here, not general Google accounts.

          This hack involved 3 things: access to the Google account, the Key Store, the Key Store credentials.

          • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

            I'm not sure, but it almost seems like you're responding to a completely different thread. Neither of us (myself or Saravana) implied that the apps didn't need to be signed or that account access wasn't necessary. I'm a developer, so I'm well aware of the basic requirements for updating an app.

            The initial point was that somebody has to be logged in to update an app, and 2-factor authentication makes it much harder to gain that access. Your first response was that the extra step doesn't work for teams, and I disagreed, or at least, left it open for you to explain how it wasn't a viable option.

          • Matt

            If you are using one Google account for your development team then you are fine. Multiple devices can be on the same two-factor authentication. You only need to authenticate once per device.

  • yodatom10

    I would think this would be something Google could easily fix

    • http://www.androidpolice.com/ Artem Russakovskii

      Nope. Once the signing key is compromised, they're fucked. Either updates won't work if Google lets them change the key on the same app (I don't think they would), or they'll have to pull all apps and introduce new ones signed by another key. And Google could mass force uninstall all compromised apps remotely.

      Either way, people will be entitled super confused and pissed.

      • http://twitter.com/powerje James Power

        Yeah, Google really needs a method to re-generate signing keys, similar to the way Apple does it would work fine - maybe it's patented?

        • http://kennydude.me/ Joe Simpson

          Erm... you generate them on your machine externally to Google like every other pub/private key system (like your HTTPS for example). I could generate as many as I want without contacting Google.

          Please research before posting rubbish.

        • lewishnl

          You're missing the point. As Joe points out, you can generate as many signing keys as you like, but as a security measure, Android won't install apps with different signing keys, so basically all devices with Sky apps on them now would have to either have those current apps pulled or uninstalled (probably the latter given that the apps themselves don't seem to have been compromised, just the main descriptions, etc.) and people would have to install new apps. This is why people will be super confused and pissed...

  • Hugo

    It also means the whole ecosystem is not secure. An activist group could take control of a well known publisher account password, replace apps with data hoarders and keyloggers until the publisher updates its own app.

    Signature is useless, as all other market apps like Amazon ask users to allow unknown sources.

    It's indeed interesting to know what Google would answer to this huge flaw!

    • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

      This is certainly not a trivial incident, but it doesn't indicate that the whole system is broken. A hacking group can't simply pick a popular app and take it over at will. They would have to gain access to the signing keys and the account password, two things that most developers rarely store together (at least, I never have).

      In all likelihood, this group got lucky and stumbled onto a corporate file sharing server where all of the information was stored in one place.

      • Guest

        Yes Cody, can I just confirm that signing keys are completely unconnected with the Play Store insofar as you'd need them with a local apk install anyway and so the allowing unknown sources box would make no difference?

    • Nam Dang

      This incident just means that said company has shitty security policy.

      Signing is the most effective security measure we've got so far. Tell me a platform that doesn't use private key signing nowadays.

    • http://kennydude.me/ Joe Simpson

      You obviously do not understand the way the signature works. It works independently of Unknown Sources.

      You have to sign all of your applications with a private key (in this case Sky's) and it has to be the same key. All Android versions and Google Play will reject any updates to an application with a different key attached to them.

      Basically if you used your own key **every single Android device** with a version already installed signed by Sky would say "Installed failed because the certificates did not match"

  • JT

    I never really thought of something like this being possible but it makes sense. Really, it could happen to any app maker. Makes me contemplate turning auto update off for all apps.

    • blootz

      not on Apple app store... Apple's security is better and more locked tight than the Android ecosystem.

      • JT

        I meant any app maker on the play store since this is a story about android, not apple or ios.

      • Samuel Rivera

        LOL, Apple, security, I would like some of what you are smoking! The only thing CrApple does different is actually running the app personally on a device. Nothing before that is any different than Google. And even then tons of Malware and crap gets into iTunes.

      • ScottColbert

        stfu with the apple crap. They have plenty of blogs for the iZombies.

      • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

        Not really. Apple has the same basic requirement of username/password to log in and a signing key to update. The only advantage Apple offers is curation and a wait time for updates. If the app is legitimately malicious, it probably won't get through. On the other hand, that instant update ability is something most of us also love about Android...

        Of course, to improve security with Google, developers can (read: SHOULD!!!!) turn on 2-factor authentication, which Apple doesn't offer.

      • Varun Priolkar

        didn't some kids hack into apple accounts by resetting peoples accounts using their date of birth?

  • Ricky

    This makes me very worried about the safety of android. Google should implement more security regulations in its app store.

    • lewishnl

      They haven't done anything wrong. There is literally nothing more they can do. If a developer gives out their signing key and Google developer account password then Google cannot just prevent the app from being launched. Google doesn't review every android app update for a reason, most aren't malicious (in fact from the looks of it, this app update doesn't actually change the app itself at all...)

  • Ricky

    This makes me very worried about the safety of android. Google should implement more security regulations in its app store.

    • Matej Čurilla

      Google was not hacked. Dev's computer had to be compromised.

  • Unimpressed

    Syria Electronic Army... Wow. Watch out for these guys, they mean business.

  • Lalit Mali

    Why did they do this? No info?

  • Samuel Rivera

    I just want to clear up some of the wrong ideas folks have.

    1. The current security implemented by Google on the app store is excellent and of the highest quality. They even offer extra security for those developers that wish to use it.

    2. The signing keys of an application are unique to the developer, and developers can generate multiple keys, the odds of this repeating is extremely, extremely low. Also sure that a few emails or some copy and pasting will allow BSky to get their application back up and with a new key in no time.

    3. All developers have the option of using a license awarded to users through the app store, in a way, a second authentication, is up to the developer to use that feature or not.

    4. Apple is not safer, quit giving that idea away. On most model iPhones (1st to 3rd gen) you can steal information in the device through text (talk about fragmentation, Apple, update your stuff and fix security holes for the 35% of your consumers still using those devices). Not to mention once the device is jailbroken it is pretty much open to a million and one new possible entry points.

    • http://www.androidpolice.com/ Artem Russakovskii

      What do you mean in parts 2 and 3? What license? And what copy pasting is going to fix the situation? Their key is compromised, and there is nothing they can do about it. Guess they can leave it compromised and hope SEA will never hack their Google account again, but that just feels very dirty.

      • Samuel Rivera

        Google offers an Api for licenses. Very simple to use, open the android sdk manager and one of the items at the very bottom of the list is the Api.

        Any developer can easily change the name of their package (Java), generate a key (which by the way dispensing keys is handled by ADT on Eclipse) and simply create a new entry for their app on their developer account and copy and paste the info over into the new entry. Of course users would have to redownload from the new location in the store, but it would theoretically bypass the current issue completely.

        • Samuel Rivera

          I wanted to point to an example of something similar to what I explained on 2.

          I develop Project Cheesecake App, and I'm currently working on fully open sourcing the app and distributing it under a new Developer account as Open Cheesecake App.

          https://play.google.com/store/apps/details?id=com.samcripp.pca
          https://play.google.com/store/apps/details?id=com.opencripp.pca

          Pay attention to the naming on the links. This is 99.9% the same app, only some minor changes, signed with a new key.

          On this other example I had my development laptop stolen (silly me). I had to completely begin anew because the keys were lost with the lappy. A simple package rename and a copy and paste saved me from greater headaches.

          http://img42.imageshack.us/img42/1990/otherexample.png

          Of course, none of my apps get the volume of downloads this app does; my users did not mind switching to a new download link. Anyways, it is not impossible to get the app back on the net quickly and safe again.

          • http://www.androidpolice.com/ Artem Russakovskii

            Your solution is trivial and obvious, by all means, but by far not clean. See my answer above. Additionally, people lose all settings and logins, but at this point, that's probably not as much of a concern as getting the whole situation sorted out.

        • http://www.androidpolice.com/ Artem Russakovskii

          Of course, they can do that, but that will cause a ton of confusion and wouldn't get rid of the problem of having potentially thousands of people with a hacked/fake app on their devices unless Google remotely deletes it.

  • MJK

    Android and app security is a total joke. There are groups on the net that take bets for fun on how quick a new app can be hacked, modded, rebuilt with new permissions, etc. It's kinda sad, but most apps can be done in under five minutes. And the Play Store has so many holes in it, it's about as easy.

    • Samuel Rivera

      Objective C, Java, C#, Visual Basic, Lua, all prominent programming languages that can be easily decompiled and modified. Nothing new here, not even C++ is safe from someone with time and patience.

    • Mooki

      As the *DEVELOPER KEYS* were stolen this has nothing to do with Android/Google security, this is purely a BSkyB/internet security in general problem. Google do not hold the signing key, just the means to verify that the valid key was used.

      It also has nothing to do with app security, any compiled application can be broken down into machine code and anyone with the expertise and tools could rebuild it in the same way, modern programming languages just make it easier.

      Apple's illusion of security is no different from Google.

      • Chris louthan

        Totally agree, but I wonder if it was plain luck by this group to stumble upon the "keys", a stupid sloppy mistake by the developer, an inside job, or a flaw in the system that can be exploited in the future? More information would be great.

        This is definitely a big story and I hope we find out more.

      • CuriousCursor

        Even if signing keys are stolen, you still have two passwords (one for the keystore and one for the app).

  • mehim

    something is off in these comments ..

    • http://profiles.google.com/marcusleejh Marcus Lee

      Lol yeah, there's an obvious troll in here.

      Wonder whether this troll was jumping on Apple when Mat Honan got so easily hacked instead of blaming Honan himself...

  • jh

    Anyone feel like pointing out to BSKYB that after all their unnecessary blocking of rooted devices for 'security' the most dangerous hack on mass android devices had absolutely nothing to do with root. It wouldn't surprise me if that's the reason those guys did it, they must be or have an android dev after all...

  • David

    People, do you really think that Syrian e-army did this? This is the same thing as Afghanistan terrorists, Iraq a-bomb, etc. Liam Spradlin, please think with your BRAIN, do not just report news. Lol, still can't believe.

    • lewishnl

      So who did do it? Stop talking shit. Of course they did it, the question is how and how much access/damage did they gain/cause.

    • http://www.androidpolice.com/ Artem Russakovskii

      What? You mean a hacking collective that constantly hacks Twitter feeds and sites suddenly isn't responsible for this? By what logic?

      Maybe you should take a look at http://sea.sy to see what they're up to these days.

    • CuriousCursor

      Actually e-army doesn't mean it's official. It's probably just a bunch of people calling themselves that. Like Dumbledore's army

  • master94

    So let me get this straight. They want to wage war against not just anonymous but now Google and BSkyB. They will burn. No one can beat Google in the cyber field.

  • Doug

    Anyone thought the apps weren't modified?
    Looks to me like the play account was hacked and the logos etc modified.

    The last update changes when you change the description if I'm not mistaken?

    Had it been confirmed that there were any modifications to the actual app?

    Anybody manage to receive the modified app?

    • http://www.androidpolice.com/ Artem Russakovskii

      I was thinking the same - it's quite possible only those were replaced and not the apk. The problem is it now looks like the Twitter account was hacked as well. The one that said they were replaced. We'll update the post.

      • CuriousCursor

        Updating the APK would be impossible without having the keystore file and passwords.

  • KeepCalmAndFuckSyria

    FUck syria :D

    • Niggerlover

      Fuck your mom fucking motherfucker

  • Max Barlow

    Should we not expect an APK teardown of this then?

  • Dustin Leiblein

    One more reason for me to stick with iOS. Jesus Christ...

    • bobbutts

      Because there's no way to hack an IOS developer's Twitter account?

  • The_Chlero

    This really proves that the Android app store is highly vulnerable and that Google needs to redesign the whole system to something like Apple (not the policies but the security) because this is not the first one and certainly will not be the last one.

    • Brainimpact

      They got Sky's password and changed only the page. Sky say none of the apps were changed. All passwords can be compromised on any system; it's nothing to do with the security.

  • spaceballs inc

    They should really change their password to something other than sky1234567 . You'll be surprised how many companies do that. And what is worse, it's the same password on twitter and gmail and dropbox.

  • Mie Mohd

    Woah, the logo, the globe background remind me of COD Modern Warfare, this espionage cyberwar becomes a real threat!

  • David Escalante

    And what the hell BSkyB app does?